A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of the recipient address in the deliver_message() function in /src/deliver.c may lead to remote command execution.
References:
https://www.openwall.com/lists/oss-security/2019/06/04/1
https://exim.org/static/doc/security/CVE-2019-10149.txt
Acknowledgments: Name: Qualys Research Labs
As per the reporter: "Exim is vulnerable by default since version 4.87 (released on April 6, 2016), when #ifdef EXPERIMENTAL_EVENT became #ifndef DISABLE_EVENT; and older versions may also be vulnerable if EXPERIMENTAL_EVENT was enabled manually. Surprisingly, this vulnerability was fixed in version 4.92 (released on February 10, 2019)." Therefore older versions of exim (Red Hat Enterprise Linux ships exim-4.63) are not affected by this flaw.
Statement: Exim is vulnerable since version 4.87, therefore the version of exim package (exim-4.63) shipped with Red Hat Enterprise Linux 5 is not affected by this flaw.
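As an added example (not part of this advisory or of the Exim project), a small POSIX shell check that classifies an Exim version string, as printed on the first line of `exim -bV`, against the affected range 4.87 to 4.91 stated above; the function names and the sample banner format are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the advisory): decide whether an Exim version
# falls in the range affected by CVE-2019-10149, 4.87 <= version <= 4.91.
# Function names and banner format are assumptions made for this example.

# Extract "major.minor" from an `exim -bV` banner or a bare version string.
# Prints the version and returns 0, or returns 1 if no version is found.
exim_version_from_banner() {
    v=$(printf '%s\n' "$1" | grep -o '[0-9][0-9]*\.[0-9][0-9]*' | head -n 1)
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Returns 0 if the version is in the affected range, 1 if outside it,
# 2 if the input could not be parsed.
exim_affected() {
    v=$(exim_version_from_banner "$1") || return 2
    major=${v%%.*}
    minor=${v#*.}
    if [ "$major" -eq 4 ] && [ "$minor" -ge 87 ] && [ "$minor" -le 91 ]; then
        return 0
    fi
    return 1
}

# Check the locally installed binary, if any. A version inside the range is
# only a first indicator: distributions may backport the upstream fix without
# bumping the version, so also check the package changelog, e.g.
#   rpm -q --changelog exim | grep CVE-2019-10149
check_local_exim() {
    command -v exim >/dev/null 2>&1 || { echo "exim not installed"; return 3; }
    # Constructed banner shape assumed: "Exim version 4.91 #1 built ..."
    banner=$(exim -bV 2>/dev/null | head -n 1)
    if exim_affected "$banner"; then
        echo "AFFECTED (upstream version range): $banner"
        return 0
    fi
    echo "not in affected range: $banner"
    return 1
}
```

Call `check_local_exim` on a host to get a first triage; its exit status mirrors `exim_affected`, so it can be used from inventory scripts.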
Created exim tracking bugs for this issue: Affects: epel-all [bug 1716935]
External References: https://www.exim.org/static/doc/security/CVE-2019-10149.txt
Upstream commit: https://git.exim.org/exim.git/commitdiff/d740d2111f189760593a303124ff6b9b1f83453d
The above fix was included in mainline / 4.92 via the following commit from Sep 2018: https://git.exim.org/exim.git/commitdiff/7ea1237c783e380d7bdb86c90b13d8203c7ecf26